Friday, August 1, 2014

QRadar - Extracting fields from Imperva's SecureSphere events

As mentioned in my previous post, no matter which tool you use for SIEM, there will be times when the fields you want are not readily available. Just as it was for the FireEye device in the last post, it is the same for Imperva's SecureSphere. Remember also that having access to the raw events received by your SIEM is extremely important, since you cannot write a regex against a field you cannot see.

Sample Event:

<6>LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|Alert type=Firewall|src=10.0.0.1|usrName=n/a|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Affected Application (violation)=$item.alert.applicationName|HTTP Method=|HTTP Host=|Query=

Note that the five LEEF header fields (version, vendor, product, product version, event ID) are pipe-delimited and, in this device's output, the key=value attributes that follow are pipe-delimited as well. That trailing pipe after each value is what the regexes below have to stop at.

Let's try to extract the following fields:

Alert Description
Alert ID
Severity

Similarly to the previous post, we will "Extract Property" from the events.

Property Type: Regex based
Property Name: Alert Description
Field Type: AlphaNumeric
Description: Alert Description as extracted from the raw Imperva log
Log Source Type: Imperva SecureSphere
Log Source: All
Category: High Level: Any
Low Level Category: Any
Regex: Alert Description=(.*?\|) - Capture Group 1
Enabled

One caveat on this regex: the lazy match runs up to and including the first pipe, so capture group 1 comes back as "TCP - TCP Unexpected SYN|" with the trailing "|" attached. That still works for searching, but an exact-match rule on the description will not fire. Alert Description=([^|]*) with capture group 1 stops before the pipe and returns the clean value.

Property Name: Alert ID
Field Type: AlphaNumeric
Description: Alert ID Field
Log Source Type: Imperva SecureSphere
Log Source: All
Category: High Level: Any
Low Level Category: Any
Regex: Alert\sID=([0-9]*) - Capture Group 1
Enabled

Property Name: Severity
Optimize parsing for rules, reports and searches: Enabled
Field Type: AlphaNumeric
Description: Severity
Log Source Type: Imperva SecureSphere
Log Source: All
Category: High Level: Any
Low Level Category: Any
Regex: (Severity\=)([a-zA-Z]*) - Capture Group 2
Enabled

Voila!!! Just like that, we've extracted data from Imperva's SecureSphere which was not readily parsed by QRadar. Before saving each property, paste the raw event into the "Test" box of the Extract Property dialog and confirm that the highlighted capture group is exactly the value you expect, with no delimiter attached.

Regex References:
http://www.autohotkey.com/docs/misc/RegEx-QuickRef.htm
https://www.tcl.tk/man/tcl8.5/tutorial/Tcl20.html
http://www.adobe.com/devnet/dreamweaver/articles/regular_expressions_pt1.html
http://www.rexegg.com/
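To check the three regexes offline before typing them into QRadar, here is an added example (my own script, not part of the original post or any IBM or Imperva tooling) that runs them against the sample event above. It also includes tightened versions of the patterns that stop at the pipe delimiter, and a small LEEF 1.0 parser that splits the header from the key=value attributes, so you can compare what a regex property returns with what a proper parse of the event would give. Python's re module and QRadar's Java regex engine agree on the constructs used here (lazy quantifiers, negated character classes, capture groups); the sample event is a constructed copy of the one in the post.

```python
import re

# Constructed sample event, copied from the post above (not a live capture).
SAMPLE_EVENT = (
    "<6>LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|"
    "devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|"
    "Alert type=Firewall|src=10.0.0.1|usrName=n/a|"
    "Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|"
    "Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|"
    "Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|"
    "Server Group=securitynik_servers|Affected Application=|"
    "Affected Application (violation)=$item.alert.applicationName|"
    "HTTP Method=|HTTP Host=|Query="
)

# The three custom properties exactly as written in the post:
# (property name, regex, capture group).
POST_PROPERTIES = [
    ("Alert Description", r"Alert Description=(.*?\|)", 1),
    ("Alert ID", r"Alert\sID=([0-9]*)", 1),
    ("Severity", r"(Severity\=)([a-zA-Z]*)", 2),
]

# Tightened patterns (my suggestion, not from the post): each one stops
# before the '|' delimiter and requires at least one character of value.
FIXED_PROPERTIES = [
    ("Alert Description", r"Alert Description=([^|]*)", 1),
    ("Alert ID", r"Alert ID=([0-9]+)", 1),
    ("Severity", r"Severity=([A-Za-z]+)", 1),
]


def extract_property(event, regex, group):
    """Mimic one QRadar regex-based custom property: first match wins,
    the chosen capture group is the property value, None if no match."""
    match = re.search(regex, event)
    return match.group(group) if match else None


def extract_all(event, properties):
    """Apply a list of (name, regex, group) definitions to one event."""
    return {name: extract_property(event, rx, grp) for name, rx, grp in properties}


def parse_leef(event):
    """Split a LEEF 1.0 event into its five header fields and an attribute dict.

    The LEEF spec uses a tab between attributes; this SecureSphere sample
    uses '|' instead, so both separators are accepted.
    """
    body = event.split("LEEF:", 1)[1]          # drop the syslog <PRI> prefix
    version, vendor, product, prod_ver, event_id, attrs = body.split("|", 5)
    attributes = {}
    for token in re.split(r"\t|\|", attrs):
        if "=" in token:                        # skip empty tokens
            key, value = token.split("=", 1)
            attributes[key] = value
    return {
        "version": version,
        "vendor": vendor,
        "product": product,
        "product_version": prod_ver,
        "event_id": event_id,
        "attributes": attributes,
    }


if __name__ == "__main__":
    print("Post's regexes: ", extract_all(SAMPLE_EVENT, POST_PROPERTIES))
    print("Tightened:      ", extract_all(SAMPLE_EVENT, FIXED_PROPERTIES))
    print("Parsed LEEF:    ", parse_leef(SAMPLE_EVENT)["attributes"]["Severity"])
```

Running it shows the one difference that matters: the post's Alert Description regex returns the value with a trailing pipe, while the tightened pattern and the full LEEF parse both return "TCP - TCP Unexpected SYN". The parser is also a quick way to list every key the device actually sends, which is worth doing before deciding which properties to extract.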

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis